SecurityTracker.com
Category:   Application (Multimedia)  >   Adobe Flash
Vendors:   Macromedia
(Allaire Issues Fix) Macromedia Flash Player ActionScript Domain Security Flaw Lets Remote Users Access Local Files By Modifying URLs
SecurityTracker Alert ID:  1004993
SecurityTracker URL:  http://securitytracker.com/id/1004993
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 8 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Prior to 6,0,47,0
Description:   A vulnerability was reported in the Macromedia Flash Player. A remote user can create Flash content that can read local files on the target user's computer.

It is reported that a remote user can create malicious Flash content to read files on the target user's computer and send them to a remote location.

The vulnerability apparently resides in the ActionScript feature used to load XML files. Ordinarily, the Flash Player prevents Flash content (movies) from loading data located outside of the original content's domain. However, it is apparently possible to bypass this restriction by loading data from URLs that are modified during HTTP negotiation. Malicious Flash content served from a remote domain could access local files and send them back to the remote domain.

The following three methods can be used to exploit the flaw, according to the report:

1) The content can force an HTTP redirect to a local file. A demonstration exploit example is available at:

http://kuperus.xs4all.nl/flash.htm

2) The remote user can place a <base href="file:///C:/"> tag in the Flash document then use a relative URL. A demonstration exploit example is available at:

http://www.xs4all.nl/~jkuperus/flash.htm

3) For systems using Internet Explorer, the remote user can embed a malicious Flash object in a web archive ('.mht' file) and make it seem as though it has been saved from a location on the user's hard drive, then use a relative URL. A demonstration exploit example is available at:

http://www.xs4all.nl/~jkuperus/flash.mht
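
A simplified model of the same-domain rule and of methods 1 and 2 above, added here as an example (it is not Flash Player or Macromedia code, and the hosts, paths and function names are constructed). A check that looks only at the URL as written accepts a load that ends at a file: URL, while a check applied to every form the URL takes rejects it.

```python
# Added example: simplified model of a same-domain data-loading check.
# Not Flash Player code; hosts, paths and function names are constructed.
from urllib.parse import urljoin, urlsplit

MOVIE = "http://movies.example.com/app/movie.swf"  # constructed movie URL


def same_domain(movie_url, data_url):
    """True only for an http(s) URL on the host that served the movie."""
    movie, data = urlsplit(movie_url), urlsplit(data_url)
    if data.scheme.lower() not in ("http", "https"):
        return False  # file: and every other scheme is outside the domain
    return bool(data.hostname) and data.hostname == (movie.hostname or "")


def check_as_written(movie_url, requested, base=None, redirects=()):
    """Weak check: validates only the URL as the movie wrote it."""
    return same_domain(movie_url, urljoin(movie_url, requested))


def check_every_form(movie_url, requested, base=None, redirects=()):
    """Hardened check: validates the URL in every form it takes before the
    data is handed to the movie (base-resolved, then after each redirect)."""
    current = urljoin(base or movie_url, requested)
    forms = [current]
    for location in redirects:
        current = urljoin(current, location)  # a Location value may be relative
        forms.append(current)
    return all(same_domain(movie_url, url) for url in forms)


# Constructed cases: (requested URL, document base, redirect targets)
CASES = {
    "plain": ("data.xml", None, ()),
    "same_host_redirect": ("feed.xml", None, ("/v2/feed.xml",)),
    "redirect_to_file": ("feed.xml", None, ("file:///C:/placeholder.txt",)),
    "file_base": ("data.xml", "file:///C:/", ()),
    "other_host": ("http://other.example.net/x.xml", None, ()),
}


def evaluate(check):
    """Map each constructed case name to the decision made by `check`."""
    return {name: check(MOVIE, *args) for name, args in CASES.items()}


if __name__ == "__main__":
    weak, hard = evaluate(check_as_written), evaluate(check_every_form)
    for name in CASES:
        print(f"{name:20} as_written={weak[name]!s:5} every_form={hard[name]}")
```

The web-archive case in method 3 is not modelled, because there the content's own apparent location is what changes.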

Impact:   A remote user can create malicious Flash content on a remote server to read files on the target user's computer and send them back to the remote server.
Solution:   Macromedia has released a fixed version (6,0,47,0), available on the Macromedia Player Download Center at:

http://www.macromedia.com/go/getflashplayer/

Also, the vendor recommends that Macromedia Flash content authors read the following technote:

http://www.macromedia.com/support/flash/ts/documents/load_xdomain.htm

Vendor URL:  www.macromedia.com/v1/handlers/index.cfm?ID=23294
Cause:   Access control error, State error
Underlying OS:   Linux (Any), MacOS, UNIX (OS X), UNIX (SGI/IRIX), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 8 2002 Macromedia Flash Player ActionScript Domain Security Flaw Lets Remote Users Access Local Files By Modifying URLs



 Source Message Contents

Date:  Thu, 8 Aug 2002 10:29:10 -0700 (PDT)
Subject:  Two Flash Player Security Bulletins: MPSB02-09 and MPSB02-10



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IMPORTANT: 
 
Two security issues that may affect Macromedia Flash 
Player have come to our attention recently.

To learn about these new issues and what actions you can
take to address them, please visit the Security Zone at
the Macromedia Web site:

http://www.macromedia.com/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

MPSB02-10 - Macromedia Flash URL Modification Issue

http://www.macromedia.com/v1/handlers/index.cfm?ID=23294 

Originally posted: August 8, 2002 
Last updated: August 8, 2002

 
Summary

Macromedia has received a report of a vulnerability in the
Flash Player that could allow maliciously authored Flash 
content, working in conjunction with other content on a 
Web server, to read the contents of files from the local 
file systems of Flash Player users, and send those contents 
back to Web servers without users' consent or knowledge. 
This vulnerability is limited to files whose locations and 
names are known or guessed ahead of time by attackers. An 
attacker would have to entice the user to a site under his 
control to exploit this vulnerability. This vulnerability 
can never be used to modify or delete local files. All 
Macromedia Flash Players are affected. Macromedia has released 
new versions of all Flash Players fixing this issue; see below. 

~~~~~~~~~~~~~ 

Issues

ActionScript in Flash movies can make requests to load data
directly from files. A common usage of this ability is loading
XML files from Web servers. As a security measure, the Flash
Player prevents Flash movies from loading data that originates
outside the web domain from which the movie was served. This
restriction naturally extends to files from local file systems.
The present vulnerability could allow malicious content to
bypass this same-domain restriction by loading data from URLs
that are modified during HTTP negotiation, for example by HTTP
redirects. Data loaded in this way could be sent back to the
server from which the malicious Flash content was served.

This vulnerability also existed in the Netscape and Internet
Explorer browsers, fixed in February and May of 2002 respectively.
Internet Explorer for the Mac has not been addressed; Macromedia
is working with Microsoft to ensure that this issue is addressed
in the near future.

~~~~~~~~~~~~~ 

Solution 

Customers should download the newer Macromedia Flash Player
immediately.

Macromedia Flash content authors should read the following 
technote: 

http://www.macromedia.com/support/flash/ts/documents/load_xdomain.htm. 

~~~~~~~~~~~~~

What Macromedia Is Doing

Macromedia has isolated the issue and released an updated player 
(6,0,47,0) which is available for download on the Macromedia 
Player Download Center 
(http://www.macromedia.com/go/getflashplayer/).

Macromedia’s solution to this problem is generalized: the updated 
Flash Players detect all situations in which URLs are modified 
from their original form. This means that if additional methods 
of causing URL modification are discovered, they will not enable 
attackers to bypass the security rules of the Flash Player. 

Macromedia is committed to the security of the Macromedia Flash
Player, and invests considerable ongoing effort to ensure that
the security and privacy of all Macromedia Flash Player users
and all websites serving Macromedia Flash content are protected.

Macromedia worked together with an external developer to verify
and fix this issue. Both are committed to security for their
customers.

Macromedia Shockwave Player includes a “Flash Asset Xtra” that 
enables the playback of Macromedia Flash files within Shockwave 
content. This Flash Asset Xtra is also affected by the issue 
noted above. It will be updated based upon the revised player 
(6,0,47,0) and included in an updated release of Shockwave Player. 
The exact date of this release will be forthcoming shortly.

~~~~~~~~~~~~~

Revisions
August 8, 2002 - Bulletin first released.
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 

MPSB02-09 - Macromedia Flash Malformed Header Vulnerability 
Issue

http://www.macromedia.com/v1/handlers/index.cfm?ID=23293

 
Originally posted: August 8, 2002 
Last updated: August 8, 2002

 
Summary

Macromedia has recently become aware of a vulnerability where a 
hand edited malformed Macromedia Flash movie (SWF) header can be 
exploited to cause a buffer over-write issue which could 
potentially lead to execution of arbitrary code. 

~~~~~~~~~~~~~

Issues

This can only occur with Macromedia Flash movies (SWF) that 
have been hand edited with a binary editor; Macromedia Flash 
the authoring tool will not output movies with this vulnerability. 

~~~~~~~~~~~~~
 
Solution

Customers should follow the recommendations found in this bulletin
and download the newer Flash Player when it is available.

~~~~~~~~~~~~~
 
What Macromedia Is Doing

Macromedia has isolated the issue and released an updated player 
(6,0,40,0) which is available for download on the Macromedia Player 
Download Center (at http://www.macromedia.com/go/getflashplayer/).

Macromedia is committed to the security of the Macromedia Flash 
Player, and invests considerable ongoing effort to ensure that 
the security and privacy of all Macromedia Flash Player users 
and all websites serving Macromedia Flash content are protected. 

Macromedia worked together with eEye Digital Security to verify 
and fix this issue. Both companies are committed to security for 
their customers.

~~~~~~~~~~~~~

What Customers Should Do 

Customers should follow the recommendations found in this bulletin
and download the newer Flash Player.

~~~~~~~~~~~~~

Revisions

August 8, 2002 - Bulletin first released.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reporting Security Issues 

Macromedia is committed to addressing security issues and 
providing customers with the information on how they can 
protect themselves. If you identify what you believe may 
be a security issue with a Macromedia product, please send 
an email to secure@macromedia.com. We will work to appropriately 
address and communicate the issue.  

~~~~~~~

Receiving Security Bulletins 

When Macromedia becomes aware of a security issue that we 
believe significantly affects our products or customers, 
we will notify customers when appropriate. Typically this 
notification will be in the form of a security bulletin 
explaining the issue and the response. Macromedia customers
who would like to receive notification of new security bulletins
when they are released can sign up for our security notification 
service. 

For additional information on security issues at Macromedia, 
please visit the Security Zone at:
http://www.macromedia.com/security

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE INFORMATION PROVIDED BY MACROMEDIA IN THIS BULLETIN IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MACROMEDIA
AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS
OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR
QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE
EXCLUSION OF IMPLIED WARRANTIES,
SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. IN NO EVENT
SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE,
COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE,
OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY
INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT
(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE,
EVEN IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR
REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL
DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT
APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS
THAT VARY FROM STATE TO STATE.

Macromedia reserves the right, from time to time, to 
update the information in this document with current 
information.


 
 



Copyright 2013, SecurityGlobal.net LLC